diff --git a/.github/policies/msgraph-sdk-php-branch-protection.yml b/.github/policies/msgraph-sdk-php-branch-protection.yml new file mode 100644 index 00000000000..9f647f6ab91 --- /dev/null +++ b/.github/policies/msgraph-sdk-php-branch-protection.yml 
@@ -0,0 +1,79 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# File initially created using https://github.com/MIchaelMainer/policyservicetoolkit/blob/main/branch_protection_export.ps1. + +name: msgraph-sdk-php-branch-protection +description: Branch protection policy for the msgraph-sdk-php repository +resource: repository +configuration: + branchProtectionRules: + + - branchNamePattern: dev + # This branch pattern applies to the following branches as of 06/12/2023 10:31:17: + # dev + + # Specifies whether this branch can be deleted. boolean + allowsDeletions: false + # Specifies whether forced pushes are allowed on this branch. boolean + allowsForcePushes: false + # Specifies whether new commits pushed to the matching branches dismiss pull request review approvals. boolean + dismissStaleReviews: true + # Specifies whether admins can overwrite branch protection. boolean + isAdminEnforced: false + # Indicates whether "Require a pull request before merging" is enabled. boolean + requiresPullRequestBeforeMerging: true + # Specifies the number of pull request reviews before merging. int (0-6). Should be null/empty if PRs are not required + requiredApprovingReviewsCount: 1 + # Require review from Code Owners. Requires requiredApprovingReviewsCount. boolean + requireCodeOwnersReview: true + # Are commits required to be signed. boolean. TODO: all contributors must have commit signing on local machines. + requiresCommitSignatures: false + # Are conversations required to be resolved before merging? boolean + requiresConversationResolution: true + # Are merge commits prohibited from being pushed to this branch. boolean + requiresLinearHistory: false + # Required status checks to pass before merging. 
Values can be any string, but if the value does not correspond to any existing status check, the status check will be stuck on pending for status since nothing exists to push an actual status + requiredStatusChecks: + - check-php-version-matrix + # Require branches to be up to date before merging. Requires requiredStatusChecks. boolean + requiresStrictStatusChecks: true + # Indicates whether there are restrictions on who can push. boolean. Should be set with whoCanPush. + restrictsPushes: false + # Restrict who can dismiss pull request reviews. boolean + restrictsReviewDismissals: false + + - branchNamePattern: main + # This branch pattern applies to the following branches as of 06/12/2023 10:31:17: + # main + + # Specifies whether this branch can be deleted. boolean + allowsDeletions: false + # Specifies whether forced pushes are allowed on this branch. boolean + allowsForcePushes: false + # Specifies whether new commits pushed to the matching branches dismiss pull request review approvals. boolean + dismissStaleReviews: true + # Specifies whether admins can overwrite branch protection. boolean + isAdminEnforced: false + # Indicates whether "Require a pull request before merging" is enabled. boolean + requiresPullRequestBeforeMerging: true + # Specifies the number of pull request reviews before merging. int (0-6). Should be null/empty if PRs are not required + requiredApprovingReviewsCount: 1 + # Require review from Code Owners. Requires requiredApprovingReviewsCount. boolean + requireCodeOwnersReview: false + # Are commits required to be signed. boolean. TODO: all contributors must have commit signing on local machines. + requiresCommitSignatures: false + # Are conversations required to be resolved before merging? boolean + requiresConversationResolution: true + # Are merge commits prohibited from being pushed to this branch. boolean + requiresLinearHistory: false + # Required status checks to pass before merging. 
Values can be any string, but if the value does not correspond to any existing status check, the status check will be stuck on pending for status since nothing exists to push an actual status + requiredStatusChecks: + - check-php-version-matrix + # Require branches to be up to date before merging. Requires requiredStatusChecks. boolean + requiresStrictStatusChecks: true + # Indicates whether there are restrictions on who can push. boolean. Should be set with whoCanPush. + restrictsPushes: false + # Restrict who can dismiss pull request reviews. boolean + restrictsReviewDismissals: false + diff --git a/.github/policies/resourceManagement.yml b/.github/policies/resourceManagement.yml new file mode 100644 index 00000000000..7a81d0702a9 --- /dev/null +++ b/.github/policies/resourceManagement.yml 
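Review bot: `requireCodeOwnersReview` is `false` in the `main` rule but `true` in the `dev` rule, so the release branch gets a weaker review requirement than the integration branch; if that is deliberate, add a comment next to the `main` value saying why, otherwise change it to `requireCodeOwnersReview: true`. `isAdminEnforced: false` on both rules means every setting in this file, including the single required status check and the one-approval minimum, can be bypassed by a repository admin, so `isAdminEnforced: true` is the safer choice for `main` unless an admin-only release path is actually needed. The required check name `check-php-version-matrix` must keep matching the job id added to pr-validation.yml in this same change, since the comment above `requiredStatusChecks` notes that a name with no matching check leaves merges stuck on pending.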
@@ -0,0 +1,101 @@ +id: +name: GitOps.PullRequestIssueManagement +description: GitOps.PullRequestIssueManagement primitive +owner: +resource: repository +disabled: false +where: +configuration: + resourceManagementConfiguration: + scheduledSearches: + - description: + frequencies: + - hourly: + hour: 1 + filters: + - isIssue + - isOpen + - hasLabel: + label: 'Needs: Author Feedback' + - hasLabel: + label: no-recent-activity + - noActivitySince: + days: 3 + - isNotLabeledWith: + label: service bug + actions: + - closeIssue + - description: + frequencies: + - hourly: + hour: 1 + filters: + - isIssue + - isOpen + - hasLabel: + label: 'Needs: Author Feedback' + - noActivitySince: + days: 4 + - isNotLabeledWith: + label: no-recent-activity + actions: + - addLabel: + label: no-recent-activity + - addReply: + reply: This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for **4 days**. It will be closed if no further activity occurs **within 3 days of this comment**. + - description: + frequencies: + - hourly: + hour: 1 + filters: + - isIssue + - isOpen + - hasLabel: + label: duplicate + - noActivitySince: + days: 1 + actions: + - addReply: + reply: This issue has been marked as duplicate and has not had any activity for **1 day**. It will be closed for housekeeping purposes. 
+ - closeIssue + eventResponderTasks: + - if: + - payloadType: Issue_Comment + - isAction: + action: Created + - isActivitySender: + issueAuthor: True + - hasLabel: + label: 'Needs: Author Feedback' + then: + - addLabel: + label: 'Needs: Attention :wave:' + - removeLabel: + label: 'Needs: Author Feedback' + description: + - if: + - payloadType: Issues + - not: + isAction: + action: Closed + - hasLabel: + label: no-recent-activity + then: + - removeLabel: + label: no-recent-activity + description: + - if: + - payloadType: Issues + - labelAdded: + label: service bug + then: [] + description: + - if: + - payloadType: Pull_Request + - isAction: + action: Opened + then: + - addCodeFlowLink + description: +onFailure: +onSuccess: diff --git a/.github/workflows/bump-generated-sdk-version.yml b/.github/workflows/bump-generated-sdk-version.yml index 7f39d80ddb1..cedec2300cb 100644 --- a/.github/workflows/bump-generated-sdk-version.yml +++ b/.github/workflows/bump-generated-sdk-version.yml @@ -28,7 +28,7 @@ jobs: git config --global user.email "GraphTooling@service.microsoft.com" git config --global user.name "Microsoft Graph DevX Tooling" - name: Run increment script - run: php scripts/BumpPreviewSdkVersion.php + run: php scripts/BumpStableSdkVersion.php - name: Commit and push changes if any run: if git commit -am "Bump SDK version"; then git push origin $GITHUB_REF; fi diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index ed538eef712..68426c24b6d 100644 --- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml 
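Review bot: Every `description:` under `scheduledSearches` and `eventResponderTasks` is left empty, as are the top-level `id:`, `owner:` and `where:` keys, so a maintainer has to reverse-engineer each rule from its filters. Each rule should carry a one-line description, e.g. `description: Close issues awaiting author feedback that have had no activity for 3 days after being marked stale` on the first search. The responder for `labelAdded: service bug` has `then: []`, which runs nothing; either drop it or comment that the label only exists to be matched by the `isNotLabeledWith: service bug` filter of the close search above. The `duplicate` search closes after 1 day with no `isNotLabeledWith` guard, so a label applied by mistake closes the issue before anyone can react; worth confirming that is intended.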
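Review bot: The `Run increment script` step now executes `php scripts/BumpStableSdkVersion.php`, but this diff only deletes `scripts/BumpPreviewSdkVersion.php` and does not add the stable script, so unless it already exists on the target branch the workflow will fail at this step; please confirm the file is present. The enclosing job definition starts outside the hunk.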
@@ -37,3 +37,17 @@ jobs: - name: Run static analysis run: | vendor/bin/phpstan analyse --memory-limit=8G --error-format=github + + # The check-php-version-matrix returns success if all matrix jobs in build are successful; otherwise, it returns a failure. + # Use this as a PR status check for GitHub Policy Service instead of individual matrix entry checks. + check-php-version-matrix: + runs-on: ubuntu-latest + needs: validate-pull-request + if: always() + steps: + - name: All build matrix options are successful + if: ${{ !(contains(needs.*.result, 'failure')) }} + run: exit 0 + - name: One or more build matrix options failed + if: ${{ contains(needs.*.result, 'failure') }} + run: exit 1 diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..e138ec5d6a7 --- /dev/null +++ b/SECURITY.md 
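Review bot: The `check-php-version-matrix` gate only tests `needs.*.result` for `'failure'`, so a `cancelled` or `skipped` `validate-pull-request` job makes the first step run `exit 0` and the required status check turns green without the build matrix having completed. Since this job is the single required status check in the branch protection policy added in this same change, the failing step should cover those outcomes too, e.g. `if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }}`, with the success step's condition negated in the same way. The `validate-pull-request` job this depends on is defined outside the hunk, so its being the matrix job is inferred from the comment.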
@@ -0,0 +1,41 @@ + + +## Security + +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). + +If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. + +## Reporting Security Issues + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). + +If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). + +You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). + +Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: + + * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 
+ * Full paths of source file(s) related to the manifestation of the issue + * The location of the affected source code (tag/branch/commit or direct URL) + * Any special configuration required to reproduce the issue + * Step-by-step instructions to reproduce the issue + * Proof-of-concept or exploit code (if possible) + * Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly. + +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). + + diff --git a/scripts/BumpPreviewSdkVersion.php b/scripts/BumpPreviewSdkVersion.php deleted file mode 100644 index 013281baf72..00000000000 --- a/scripts/BumpPreviewSdkVersion.php +++ /dev/null 
@@ -1,15 +0,0 @@ - 1) { - # Increment release candidate - $rcVersion = ($rcMatches[1]) ? intval($rcMatches[1]) + 1 : 2; - $splitVersion[2] = "0-RC{$rcVersion}"; - } else { - # Increment minor version - $splitVersion[1] = strval(intval($splitVersion[1]) + 1); - # Set patch - $splitVersion[2] = '0'; - } - return implode(".", $splitVersion); -} - -function updateReadme(string $bumpedVersion) -{ - echo "Reading contents at ".README_FILEPATH."...\n"; - $fileContents = file_get_contents(README_FILEPATH); - if ($fileContents) { - $package = str_replace('/', '\/', PACKAGE_NAME); - $pattern = '/"'.$package.'"\s*:\s*".+"/'; - $replacement = '"'.PACKAGE_NAME.'": "^'.$bumpedVersion.'"'; - $numReplacements = 0; - $updatedContents = preg_replace($pattern, $replacement, $fileContents, -1, $numReplacements); - if (!$numReplacements) { - echo "Unable to find and replace SDK version\n"; - return; - } - echo file_put_contents(README_FILEPATH, $updatedContents) ? "Successfully updated ".README_FILEPATH. "\n" : "Failed to update ".README_FILEPATH."\n"; - return; - } - echo "Could not read contents at ".README_FILEPATH."\n"; -} - -function updateGraphConstants(string $filePath, string $bumpedVersion) -{ - echo "Reading contents at {$filePath}...\n"; - $fileContents = file_get_contents($filePath); - if ($fileContents) { - $pattern = '/'. SDK_VERSION_VAR_NAME . '\s+=\s+".+"/'; - $replacement = SDK_VERSION_VAR_NAME . " = \"{$bumpedVersion}\""; - $numReplacements = 0; - $updatedContents = preg_replace($pattern, $replacement, $fileContents, -1, $numReplacements); - if (!$numReplacements) { - echo "Unable to find and replace SDK version\n"; - return; - } - echo file_put_contents($filePath, $updatedContents) ? "Successfully updated {$filePath}\n" : "Failed to update {$filePath}\n"; - return; - } - echo "Could not read contents at {$filePath}\n"; -} diff --git a/src/GraphServiceClient.php b/src/GraphServiceClient.php deleted file mode 100644 index 35c99a0ae6d..00000000000 
--- a/src/GraphServiceClient.php +++ /dev/null 
@@ -1,91 +0,0 @@ - $scopes Defaults to "https://[graph national cloud host]/.default" scope - * @param string $nationalCloud Defaults to https://graph.microsoft.com. See - * https://learn.microsoft.com/en-us/graph/deployments - * @param RequestAdapter|null $requestAdapter. Use createWithRequestAdapter() to set the request adapter. - */ - public function __construct( - TokenRequestContext $tokenRequestContext, - array $scopes = [], - string $nationalCloud = NationalCloud::GLOBAL, - ?RequestAdapter $requestAdapter = null - ) - { - if ($requestAdapter) { - parent::__construct($requestAdapter); - return; - } - parent::__construct(new GraphRequestAdapter(new GraphPhpLeagueAuthenticationProvider( - $tokenRequestContext, $scopes, $nationalCloud - ))); - } - - /** - * Get an instance of GraphServiceClient that uses $requestAdapter - * - * @param RequestAdapter $requestAdapter - * @param string $nationalCloud Used to build base URL of $requestAdapter if none has been specified - * Defaults to https://graph.microsoft.com. See https://learn.microsoft.com/en-us/graph/deployments - * @return GraphServiceClient - */ - public static function createWithRequestAdapter( - RequestAdapter $requestAdapter, - string $nationalCloud = NationalCloud::GLOBAL - ): GraphServiceClient - { - if (!$requestAdapter->getBaseUrl()) { - $requestAdapter->setBaseUrl("$nationalCloud/v1.0"); - } - $placeholder = new ClientCredentialContext('tenant', 'client', 'secret'); - return new GraphServiceClient($placeholder, [], 'placeholder', $requestAdapter); - } - - /** - * Returns the request adapter instance in use - * - * @return RequestAdapter - */ - public function getRequestAdapter(): RequestAdapter - { - return $this->requestAdapter; - } - - /** - * A method that abstracts the /me endpoint and users /users/{{user-id}} under - * the hood. 
- */ - public function me(): UserItemRequestBuilder { - $urlTplParameters = $this->pathParameters; - $urlTplParameters['user%2Did'] = 'me-token-to-replace'; - return new UserItemRequestBuilder($urlTplParameters, $this->requestAdapter); - } -}